Supplying Legal Notices for Free Software in your Products

By Fredrik Ohrstrom
December 2, 2017

The CPU inside your computer contains its own software installed by the CPU manufacturer. This software is used to bootstrap your computer, for example by configuring the hardware before control is handed over to the operating system. To provide for remote management this software can also run after bootstrap, while you are using your computer. For recent Intel CPUs, security researchers have shown that the remote management software is probably running its own operating system based on Minix 3, which is released under a Free Software license. This license, like many other Free Software licenses, requires a legal notice to be given to the recipient when the software is distributed. Alas, it seems like Intel has not done so and as a result the distribution of Minix 3 inside the recent Intel CPUs could be copyright infringement.

Remote Administration

For the benefit of remote administration of your computer, Intel has placed a control CPU inside every x86 CPU sold for the last couple of years. This CPU is called the Intel Management Engine (ME) and it can intercept and control almost anything the main CPU does including writing to your hard disk. Security researcher Ververis writes that it can even communicate over the network when the main CPU is powered off and the power plug remains in the computer. Sometimes this is desirable, for example if your firm wants to remotely manage a large fleet of servers. Unfortunately the ME is also most likely inside your latest x86 laptop or desktop and you are not allowed to replace the software inside the ME, nor examine it for faults or bugs. And bugs there are, for example a remote exploit for your CPU, a USB device exploit and many more.

The functionality the ME offers is not bad per se; the problem is that you yourself are not holding the keys. Ronald Minnich at Google is fighting for you to have complete control of your CPU.

Of course, Intel tells everyone that the ME is safe and “good for you” and that it helps with everything from booting your computer to dealing with your hardware drivers and potential remote upgrades. Well, the road to hell is paved with good intentions. The ME can be used to make it harder for you to pirate media (protected media path) but, ironically, the ME is perhaps using pirated Free Software to do so.

Pirated Free Software, eh?

This might sound like an oxymoron: how can you pirate Free Software? Simple: if you do not comply with the terms and conditions of a Free Software license, then you have no right to distribute the software.

Some Free Software licenses are copyleft and require several conditions to be met for legal distribution. Some other Free Software licenses, like BSD style licenses, are non-copyleft, and even if they have fewer conditions, they still have conditions.

In April this year, it was discovered that there are strings inside the ME software that indicate that there is a Minix 3 Operating System installed inside ME version 11 and onwards.

Why has it been “discovered” that it runs Minix? Well, it seems like Intel wants to keep the inside of the Management Engine secret, so they have obfuscated the binaries using a Huffman code that has not yet been deciphered. But from the partial results so far, there are indications that there is Minix 3 in there.

This finding is also supported by the author of Minix, Andrew Tanenbaum, who explains that Intel did contact him a couple of years ago to ask for help about Minix, not telling him what Minix 3 was to be used for. Tanenbaum states that if they had told him how they intended to use it, he would definitely have objected to that use.

Now, Minix 3 is licensed under a BSD-style license and condition 2 states that if you want to distribute binary forms of Minix 3, you have to give legal notice:

“Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.”

Legal Notices everywhere

Most Free Software licenses actually have the requirement of legal notices. If you pick up your iPhone right now and navigate to Settings -> General -> About -> Legal -> Legal Notices, then you will find all legal notices required for all the Free Software inside your iPhone. (Well, the ones that Apple knows about anyway.) If you have an Android, navigate to Settings -> About phone -> Legal information -> Open source licenses and System WebView licenses.

For other applications, you can find a menu somewhere, that says Legal Information or Legal Notices or Third Party Licenses etc. It can also be printed in the documentation and/or other material provided with the product. Look for it and you will find it. If you yourself are distributing an application in which you use Free Software and you do not provide the legal notices, then perhaps it is time for you to do that now.

Now, it does not seem like Intel has provided the proper legal notice for the Minix 3 software. The surprise of the security researchers and Tanenbaum indicates that this knowledge has been purposefully hidden. Unfortunately for Intel, a Free Software license with a clause requiring a legal notice is not compatible with secretive distribution.

Anyone who distributes the CPU must provide the legal notice, i.e. not just Intel but also the computer manufacturers who placed the CPU in a computer, and the sales companies that eventually sold the computer to you.

Minix 3 might not be the only Free Software hidden inside the ME. For example, the ME also contains a web server. Did Intel write one from scratch or did they pick a web server licensed under a Free Software license? Maybe there are more tool/library authors that might have claims against Intel, the computer manufacturers and the sales companies, because of the lack of legal notices?

Damages and injunctions when infringing Free Software

What kind of claims? The software is released for free use, so what kind of damage can be relevant?

Well, even though people who create Free Software might not necessarily be interested in monetary compensation, they are however usually interested in being named as the author. This is a right which is also part of copyright law in many jurisdictions. This can give rise to a right for compensation for the loss of not being named as an author of the distributed work.

A secretive use of Free Software inside what Tanenbaum himself calls a “spy engine” can also be said to explicitly contradict the intent of the author of the Free Software. As Tanenbaum writes: “I certainly wouldn’t have cooperated even though all they wanted was reducing the memory footprint (= chip area for them).” One might therefore expect that it would have been costly for Intel to buy Tanenbaum’s cooperation for secret distribution of Minix 3, had it been at all possible. Thus, there is a potential for awarding damages in this situation and for arguing that the infringing code inside the Management Engine should be erased.

Normally, there is a very small risk of being sued for accidentally missing a legal notice, since the authors of Free Software have better things to do. In this case however, Intel has, perhaps with intent, contradicted the license for a purpose that Free Software authors dislike. Also, the amount of damages that can be argued for is remarkable. Think about it: the software is probably in almost every x86 Skylake CPU sold in the world for the last couple of years. Perhaps this will be the first case where a BSD style license is tested in court.

What happens if Intel scrambles to produce a list of all the necessary legal notices for software inside the ME, and also gets the manufacturers and sales companies to distribute the list too? For sure, future CPUs might no longer be infringing, but does this fix the previous copyright infringements? No, not necessarily. The window of opportunity to distribute the legal notice with already sold CPUs is probably long gone.

Of course, we cannot yet be completely sure that Intel did not produce such a legal notice. Perhaps there is a file with the ME legal notices in the default Windows installation, perhaps printed in ultra-fine-print in a manual or on a flimsy bit of paper that everyone throws away when they unpack the computer. If someone finds such a list, then I am sure the security researchers would be very interested in it.

In any case, this is a good lesson for any company using Free Software. Don’t forget the legal notices!

The Author

Fredrik Ohrstrom is a software and patent engineer who works in Stockholm, Sweden. He is currently working as a consultant creating provably secure software. Previously he has built the Spotify patent portfolio and contributed to the Java language and Virtual Machine while working for Oracle.

Warning & Disclaimer: The pages, articles and comments on IPWatchdog.com do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author and should not be attributed to the author’s employer, clients or the sponsors of IPWatchdog.com.

Discuss this

There are currently 5 comments.

  1. Darrin December 2, 2017 1:23 pm

    The cost of noncompliance can be enormous. Software audits will only increase due to the explosion of IoT devices entering the market. Entrepreneurs beware.

    *** I checked the “Legal Notices” on my iPhone and it took 25 swipes to reach the bottom!

  2. N.N. December 10, 2017 5:04 am

    Even if there was a file in the default Windows installation, who would ever see it? Companies overwrite those with their own images and I haven’t even once started a new computer without some installation media (usually Ubuntu) attached for years.

  3. Someone Somewhere December 10, 2017 12:07 pm

    A notice buried inside Windows likely wouldn’t be adequate, as plenty of people buy the chips on their own or in devices without Windows.

    It would need to be in the retail packaging for CPUs, and also in any device that ships with them.

  4. tzs December 10, 2017 4:30 pm

    “Anyone who distributes the CPU must provide the legal notice, i.e. not just Intel but also the computer manufacturers who placed the CPU in a computer, and the sales companies that eventually sold the computer to you.”

    Wouldn’t they be covered by the first sale doctrine?

  5. Ruud Bleeker December 11, 2017 4:57 am

    So who would be willing and legally able to take up this case? I know Andy Tanenbaum personally and I doubt he’d be willing to get into a legal battle with a juggernaut like Intel.
